Implementing “Single Sign-Out”
Our experience has shown us that while business units often demand Single
Sign-On for their users, they don't realise that an unintended consequence is
that it no longer makes sense to speak of logging out of any single
application. The term “Single Sign-Out” is sometimes talked about, but this
(if implemented) can be quite irritating from a usability perspective.
Remember that Single Sign-On is defined for the environment as a whole and
is governed by a single SSO token stored in a cookie on the user's browser.
The SSO token is usually valid for many hours, usually a full working day, so
that a user does not have to log in again once they have done so at the start
of their working day. In contrast, service tickets or application access tokens
typically expire after a few minutes, and it is only the validity of an
application's web session that governs the need for a user to be revalidated
by the SSO server. Logging out of an application in most cases involves
invalidating the web session (and perhaps the service ticket), but
importantly, this does not prevent the user from transparently regaining
access to the application.
The reason for this behaviour is that an application interceptor may redirect
a user back to the SSO server if the web session or service ticket is no longer
valid, but as long as the SSO token is still valid, the user will not be
challenged for their login credentials again. After all, this is the required
behaviour for SSO. The SSO server will check the user's access rights against
the IAM database and as long as the access is still granted, will silently
generate a fresh service ticket which will let the user into the application
once more.
The effect of this is that a user cannot be logged out of any application as
long as their SSO session is valid. This comes as a bit of a shock to business
owners and even some security people because it implies that an open
browser can be used by any passer-by to gain access to sensitive
applications, even if the legitimate user has “logged out” of them and closed
the relevant browser tabs.
Note that while this behaviour is definitely less secure than what we had
with standalone applications, it is not a bug or a drawback with IAM or with
Single Sign-On, merely a failure to understand the implications of the Single
Sign-On feature that is otherwise desired.
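As an added example (not from the book), the following Python model reproduces the token lifetimes described above: one long-lived SSO token per browser, short-lived service tickets and application web sessions, and an interceptor that silently re-obtains a ticket while the SSO token is valid. The user, application name and TTL values are assumed for illustration; the scenario shows that application logout alone does not stop re-entry, and that only invalidating the SSO token does.

```python
import secrets
# Constructed model of the flow described above; users, apps and TTLs are illustrative.
SSO_TOKEN_TTL = 8 * 3600     # SSO token: a full working day
SERVICE_TICKET_TTL = 5 * 60  # service ticket / application web session: a few minutes

class SSOServer:
    def __init__(self, iam_grants):
        self.iam_grants = iam_grants  # user -> apps the IAM database grants access to
        self.sso_tokens = {}          # SSO token (browser cookie) -> (user, expiry)
        self.prompts = 0              # credential challenges issued so far
    def login(self, user, now):
        """Credential challenge (password check omitted); issues a new SSO token."""
        self.prompts += 1
        token = secrets.token_hex(16)
        self.sso_tokens[token] = (user, now + SSO_TOKEN_TTL)
        return token
    def service_ticket(self, sso_token, app, now):
        """Silent: no challenge while the SSO token is valid and IAM still grants access."""
        user, expiry = self.sso_tokens.get(sso_token, (None, 0))
        if user is None or expiry <= now or app not in self.iam_grants.get(user, ()):
            return None  # the interceptor must send the user through login()
        return (user, now + SERVICE_TICKET_TTL)
    def single_sign_out(self, sso_token):
        self.sso_tokens.pop(sso_token, None)  # only this stops silent re-entry

class Application:
    def __init__(self, name, sso):
        self.name, self.sso, self.sessions = name, sso, {}  # browser -> (user, expiry)
    def request(self, browser, sso_token, now):
        user, expiry = self.sessions.get(browser, (None, 0))
        if user is None or expiry <= now:  # no live web session: interceptor redirects to SSO
            ticket = self.sso.service_ticket(sso_token, self.name, now)
            if ticket is None:
                return "credentials required"
            user, expiry = self.sessions[browser] = ticket  # new web session from the ticket
        return f"served {user}"
    def logout(self, browser):
        self.sessions.pop(browser, None)  # kills the web session, not the SSO token

def scenario():
    sso = SSOServer({"alice": {"payroll"}})
    payroll = Application("payroll", sso)
    token = sso.login("alice", now=0)                 # the one challenge of the day
    first = payroll.request("b1", token, now=10)      # silent ticket, new web session
    payroll.logout("b1")                              # user "logs out", closes the tab
    regained = payroll.request("b1", token, now=600)  # anyone at the browser is back in
    payroll.logout("b1"); sso.single_sign_out(token)  # genuine single sign-out
    blocked = payroll.request("b1", token, now=700)
    return first, regained, blocked, sso.prompts
```

The final value shows the user was challenged for credentials exactly once, even though access was regained after an application logout.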